Rogue HackerOne Employee Steals Bug Reports to Sell on the Side
A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards.
The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures,” the company said on Friday.
HackerOne is a platform for coordinating vulnerability disclosures and intermediating monetary rewards for the bug hunter submitting the security reports.
Catching the culprit
On June 22, HackerOne responded to a customer request to investigate a suspicious vulnerability disclosure through an off-platform communication channel from someone using the handle “rzlr.”
The customer had noticed that the same security issue had been previously submitted through HackerOne.
Bug collisions, where multiple researchers find and report the same security issue, are frequent; in this case, the genuine report and the one from the threat actor shared obvious similarities that prompted a closer look.
HackerOne’s investigation determined that one of its employees had access to the platform for over two months, since they joined the company on April 4th until June 23, and contacted seven companies to report vulnerabilities already disclosed through its system.
Threat actor got paid
The rogue employee received bounties for some of the reports they submitted, the company said. This allowed HackerOne to follow the money trail and identify the perpetrator as one of its workers that triaged vulnerability disclosures for “numerous customer programs.”
“The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures. After identifying these bounties as likely improper, HackerOne reached out to the relevant payment providers, who worked cooperatively with us to provide additional information” – HackerOne
Analyzing the threat actor’s network traffic revealed more evidence that linked their primary and sockpuppet accounts on HackerOne.
Less than 24 hours after starting the investigation, the bug bounty platform identified the threat actor, terminated their system access, and remotely locked their laptop pending the inquiry.
For the next few days, HackerOne did remote forensics imaging and analysis of the suspect’s computer and completed reviewing the data access logs for that employee for the duration of the employment to determine all bug bounty programs the threat actor interacted with.
On June 30, HackerOne terminated the employment of the threat actor.
“Subject to review with counsel, we will decide whether criminal referral of this matter is appropriate. We continue forensic analysis on the logs produced and devices used by the former employee” – HackerOne
HackerOne notes that its former employee had used “threatening” and “intimidating” language in their interaction with customers and urged customers to contact the company if they received disclosures made in an aggressive tone.
The company says that “in the vast majority of cases” it has no evidence of vulnerability data having been misused. However, customers that had reports accessed by the inside threat actor, either for nefarious or legitimate purposes, have been informed individually of dates and times of access for each vulnerability disclosure.
HackerOne also notified hackers on the platform whose submissions had been accessed by the rogue employee:
The notification informs the hackers of the incident and includes a list of the reports the threat actor accessed either legitimately, as part of their job, or with the intention to abuse the vulnerabilities submitted.
Update [July 3, 14:21 EST]: Article updated with HackerOne notification to hackers with reports accessed by the rogue employee.